The big lie of millions of information security jobs

Ben Rothke
8 min readNov 28, 2023

How can you know how many security jobs there are if there’s no real statistical data available?

https://imgflip.com/i/87fumc

Millions of information security jobs

As I wrote in Is there really an information security jobs crisis?, reports of millions of information security jobs are an exaggeration. Be it Cybersecurity Ventures which says there will be 3.5 million unfilled positions in 2025, or the ISC2 Cyber Workforce Study 2023 stating that there are roughly 4 million cybersecurity professionals needed worldwide, those numbers are not statistically defendable.

Nearly every story in the media, from Fortune with The cybersecurity industry is short 3.4 million workers — that’s good news for cyber wages, IBM with Bridging the 3.4 million workforce gap in cybersecurity, to the Institute for Pervasive Cybersecurity at Boise State University all reference the same ISC2 and Cybersecurity Ventures data.

The lack of empirical data has created a vacuum and no organization has filled that better than Cybersecurity Ventures. Even the vaunted McKinsey & Company quoted them in New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers.

And when it comes to predictions about information security jobs — the road is lined with failed prognostications. Perhaps none greater than Analytics Insight who in 2021 estimated 10 million new jobs in cybersecurity by 2023.

Which begs the question — how many information security jobs are there? The short answer is that no one has a clue. The problem is that there is no statistically verifiable and empirically researched data on the number of current information security jobs and what the future holds. All data to date is based on surveys and extrapolations, which is a poor way to do meaningful statistical research.

Veteran industry analyst Richard Stiennon follows the mantra of question everything. He astutely notes that all claims need to cite evidence. Headline-grabbing claims of millions of jobs are one thing; but without strong evidence, they are just histrionic headlines.

--

--

Ben Rothke

I work in information security at Tapad. Write book reviews for the RSA blog, & a Founding member of the Cloud Security Alliance and Cybersecurity Canon.